Kévin Dunglas

Founder of Les-Tilleuls.coop (worker-owned cooperative). Creator of API Platform, Mercure.rocks, Vulcain.rocks and of some Symfony components.

Mitigate Attacks on your PHP Supply Chain

Posted on May 12, 2023 by Kévin Dunglas

Here are the slides I presented at the AFUP Day Lille 2023 and the companion Pull Request on Composer:

Abstract

When you install a JavaScript library, it usually comes with hundreds of transitive dependencies: libraries you never asked for, installed as a side effect because the library you want to use depends on them (directly or through yet other libraries).

This proliferation of dependencies opens the door to supply chain attacks. It only takes one compromised repository hosting one of these hundreds of libraries, or one malicious (or compromised) maintainer, to inject malware into your own software. That malware can target you, your organization, and even the end users of your software.

As I explained back in 2018, the PHP ecosystem is slightly less exposed to this type of attack than the JavaScript ecosystem, because maintainers of popular libraries and frameworks are relatively careful not to rely on too many third-party dependencies. This limits the problem, but doesn't eliminate it.

What if we could do better with our favorite dependency manager, Composer? In this talk, I present how supply chain attacks work, outline some organizational practices that can limit the problem, and finally explain how to take back full control of your vendor/ folder thanks to a Composer patch I crafted for the occasion.
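To make the two ideas above concrete (how much of vendor/ you never explicitly asked for, and whether what is locked is actually pinned), here is an added example that is not part of the talk and is not the Composer patch it mentions. It is a stand-alone PHP script that reads a composer.json and a composer.lock, lists the packages that are only present as transitive dependencies, and flags lock entries whose source reference is a branch name rather than a commit hash, whose dist archive has no checksum, or whose dist URL is not served over HTTPS. The composer.json, composer.lock and the acme/* package names are constructed for the example and do not refer to real packages.

```php
<?php
declare(strict_types=1);

// Added example, not the talk's Composer patch. The two documents below are
// constructed sample data; acme/* are hypothetical package names.
const COMPOSER_JSON = <<<'JSON'
{
  "require": {"php": ">=8.1", "acme/http": "^1.0"},
  "require-dev": {"acme/testkit": "^3.0"}
}
JSON;

const COMPOSER_LOCK = <<<'JSON'
{
  "packages": [
    {"name": "acme/http", "version": "1.2.0",
     "source": {"type": "git", "url": "https://example.com/acme/http.git",
                "reference": "0123456789abcdef0123456789abcdef01234567"},
     "dist": {"type": "zip", "url": "https://example.com/dist/acme-http-1.2.0.zip",
              "reference": "0123456789abcdef0123456789abcdef01234567",
              "shasum": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
     "require": {"acme/uri": "^2.0", "acme/log": "*"}},
    {"name": "acme/uri", "version": "2.0.1",
     "source": {"type": "git", "url": "https://example.com/acme/uri.git",
                "reference": "89abcdef0123456789abcdef0123456789abcdef"},
     "dist": {"type": "zip", "url": "http://example.com/dist/acme-uri-2.0.1.zip",
              "reference": "89abcdef0123456789abcdef0123456789abcdef"},
     "require": {}},
    {"name": "acme/log", "version": "dev-main",
     "source": {"type": "git", "url": "https://example.com/acme/log.git",
                "reference": "main"},
     "require": {}}
  ],
  "packages-dev": [
    {"name": "acme/testkit", "version": "3.1.0",
     "source": {"type": "git", "url": "https://example.com/acme/testkit.git",
                "reference": "fedcba9876543210fedcba9876543210fedcba98"},
     "dist": {"type": "zip", "url": "https://example.com/dist/acme-testkit-3.1.0.zip",
              "reference": "fedcba9876543210fedcba9876543210fedcba98",
              "shasum": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"},
     "require": {"acme/log": "*"}}
  ]
}
JSON;

/** Index every locked package (prod and dev) by name. */
function lockedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $byName = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $byName[$pkg['name']] = $pkg;
    }
    return $byName;
}

/** Names of locked packages that are present only because something you required needs them. */
function transitiveDependencies(string $composerJson, array $packages): array
{
    $root = json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR);
    $direct = array_keys(($root['require'] ?? []) + ($root['require-dev'] ?? []));
    $seen = array_fill_keys($direct, true);
    $queue = $direct;
    while ($queue) {                       // breadth-first walk of the lock graph
        $name = array_shift($queue);
        foreach (array_keys($packages[$name]['require'] ?? []) as $dep) {
            // Platform packages (php, ext-*, lib-*) have no lock entry and are skipped.
            if (!isset($packages[$dep]) || isset($seen[$dep])) {
                continue;
            }
            $seen[$dep] = true;
            $queue[] = $dep;
        }
    }
    $transitive = array_diff(array_keys($seen), $direct);
    sort($transitive);
    return $transitive;
}

/** Lock-file hygiene checks for one package; returns human-readable findings. */
function auditPackage(array $pkg): array
{
    $findings = [];
    $ref = $pkg['source']['reference'] ?? '';
    if (!preg_match('/^[0-9a-f]{40}$/', $ref)) {
        $findings[] = "source reference '$ref' is not a full commit hash (moving target)";
    }
    if (!isset($pkg['dist'])) {
        $findings[] = 'no dist archive: install falls back to cloning the git source';
    } elseif (empty($pkg['dist']['shasum'])) {
        $findings[] = 'dist archive has no shasum: the downloaded archive is not checksummed';
    }
    if (isset($pkg['dist']['url']) && !str_starts_with($pkg['dist']['url'], 'https://')) {
        $findings[] = 'dist URL is not served over https';
    }
    return $findings;
}

$packages = lockedPackages(COMPOSER_LOCK);
$transitive = transitiveDependencies(COMPOSER_JSON, $packages);
printf("%d locked packages, %d transitive: %s\n", count($packages), count($transitive), implode(', ', $transitive));
foreach ($packages as $name => $pkg) {
    foreach (auditPackage($pkg) as $finding) {
        echo "$name {$pkg['version']}: $finding\n";
    }
}
```

Run it with `php audit.php` (PHP 8.0 or later, for `str_starts_with`). On the sample data it reports acme/log and acme/uri as transitive, flags acme/log for tracking the `main` branch with no archive, and flags acme/uri for an unchecksummed archive fetched over plain HTTP. Pointing `lockedPackages` and `transitiveDependencies` at a real project's files is a quick way to see how much of vendor/ you actually chose, and which entries would silently change content on the next `composer install`.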

© 2023 Kévin Dunglas | Powered by Minimalist Blog WordPress Theme